NSA Gives Advice on Defending Against Nation-State Attackers

The head of NSA's offensive operations division explained how it uses vulnerabilities and how organizations can defend themselves.

Among the cache of documents leaked by U.S. National Security Agency (NSA) whistleblower Edward Snowden were files containing information on the agency's offensive operations, known as Tailored Access Operations (TAO). While Snowden's leaked documents have been a source of information on NSA activities, there is now another, more direct source: the NSA itself.
In an eye-opening 30-minute session at the USENIX Enigma conference in San Francisco on Jan. 28, Rob Joyce, chief of NSA's TAO, discussed how advanced persistent threats (APTs) target organizations and what techniques can be used to defend against those attacks. The Enigma session has now been posted to YouTube, enabling anyone with Internet access to watch the NSA explain how to attack and defend against nation-state adversaries.
"I'm from Tailored Access Operations, and from that perspective, it is very strange to be up here on a stage," Joyce said. "My talk is to tell you as a nation-state exploiter what you can do to defend yourself to make my life hard."
Joyce noted that TAO's efforts include gaining foreign intelligence by way of nation-state exploitation that supports a wide range of missions, from informing U.S. policy makers to protecting war fighters.

NSA TAO often has a better understanding of the networks that are targeted for exploitation, rather than the targeted networks owners have themselves, Joyce said.

"If you really want to protect your network, you really have to know your network, you have to know the devices and the security technologies inside it," Joyce said.
NSA TAO puts in the time to really understand the networks of targets, better perhaps even than the people that actually designed the network and those tasked with securing the network.
From an attack methodology, Joyce explained that there are a series of phases that occur when exploiting a target, starting with reconnaissance. After reconnaissance, an attacker looks to get in the door with an initial exploitation of a network. Once in the door, an attacker seeks to establish persistence and will also install tools. The initial point of entry into a target network isn't likely where all the information is kept, which is why once the attacker has persistence and tools in place, the next step is to move laterally within the network. The final phases of an intrusion are to collect and exfiltrate data from the target network.
From a defender's perspective, the goal is to disrupt an attacker's progression through the intrusion phases, Joyce explained. One simple recommendation he made is to reduce the potential attack surface by shutting down services that are not actually being used by the organization.
"It's not a new or amazingly insightful piece of advice," Joyce said in reference to his suggestion about shutting down unneeded services. He added that people would be surprised to realize all the things that are running on a network, versus the things that they think are supposed to be running on the network.
Joyce suggested that organizations run full penetration tests against their own networks to "poke and prod" for potential vulnerabilities, just like an adversary might do. While zero-day vulnerabilities do represent a risk, Joyce commented that they are not the primary attack vector.
"On any large network, I will tell you that persistence and focus will get you in and will achieve exploitation without the zero-day [exploits]," Joyce said.